Update chart; Add simple test

2026-01-20 04:23:09 -06:00 · 2022-12-22 13:00:36 +01:00 · 2022-12-22 13:00:36 +01:00 · e0eb28d061
parent c77a10ea06
commit e0eb28d061
11 changed files with 211 additions and 165 deletions
--- a/helm/dendrite/README.md
+++ b/helm/dendrite/README.md
@ -41,55 +41,56 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| clientapi.registration.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
+| clientapi.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
-| clientapi.registration.guests_disabled | bool | `true` |  |
+| clientapi.guests_disabled | bool | `true` |  |
-| clientapi.registration.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
+| clientapi.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
-| clientapi.registration.recaptcha_private_key | string | `""` | reCAPTCHA private key |
+| clientapi.rate_limiting.enabled | bool | `true` | Enable rate limiting |
-| clientapi.registration.recaptcha_public_key | string | `""` | reCAPTCHA public key |
+| clientapi.rate_limiting.exempt_user_ids | string | `nil` | Users which should be exempt from rate limiting |
-| clientapi.registration.recaptcha_siteverify_api | string | `""` |  |
+| clientapi.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
-| clientapi.registration.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
+| clientapi.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
-| clientapi.registration.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
+| clientapi.recaptcha_private_key | string | `""` | reCAPTCHA private key |
-| configuration.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
+| clientapi.recaptcha_public_key | string | `""` | reCAPTCHA public key |
-| configuration.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
+| clientapi.recaptcha_siteverify_api | string | `""` |  |
-| configuration.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
+| clientapi.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
-| configuration.database.host | string | `""` | Default database host |
+| clientapi.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
-| configuration.database.max_idle_conns | int | `2` | Default database maximum idle connections |
+| clientapi.turn.turn_password | string | `""` | The TURN password |
-| configuration.database.max_open_conns | int | `90` | Default database maximum open connections |
+| clientapi.turn.turn_shared_secret | string | `""` |  |
-| configuration.database.password | string | `""` | Default database password |
+| clientapi.turn.turn_uris | list | `[]` |  |
-| configuration.database.user | string | `""` | Default database user |
+| clientapi.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
-| configuration.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
+| clientapi.turn.turn_username | string | `""` | The TURN username |
 | configuration.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
 | configuration.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
 | configuration.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
 | configuration.key_validity_period | string | `"168h0m0s"` |  |
 | configuration.logging | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | Default logging configuration |
 | configuration.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
 | configuration.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
 | configuration.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
 | configuration.mscs | list | `["msc2946"]` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
 | configuration.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
 | configuration.profiling.port | int | `65432` | pprof port, if enabled |
 | configuration.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
 | configuration.rate_limiting.enabled | bool | `true` | Enable rate limiting |
 | configuration.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
 | configuration.server_name | string | `""` | Servername for this Dendrite deployment |
 | configuration.signing_key.create | bool | `true` | Create a new signing key, if not exists |
 | configuration.signing_key.existingSecret | string | `""` | Use an existing secret |
 | configuration.tracing | object | disabled | Default tracing configuration |
 | configuration.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
 | configuration.turn.turn_password | string | `""` | The TURN password |
 | configuration.turn.turn_shared_secret | string | `""` |  |
 | configuration.turn.turn_uris | list | `[]` |  |
 | configuration.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
 | configuration.turn.turn_username | string | `""` | The TURN username |
 | configuration.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
 | configuration.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
 | federationapi.disable_tls_validation | bool | `false` | Disable TLS validation |
 | federationapi.prefer_direct_fetch | bool | `false` |  |
 | federationapi.send_max_retries | int | `16` |  |
 | global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
 | global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
 | global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
 | global.database.host | string | `""` | Default database host |
 | global.database.max_idle_conns | int | `2` | Default database maximum idle connections |
 | global.database.max_open_conns | int | `90` | Default database maximum open connections |
 | global.database.password | string | `""` | Default database password |
 | global.database.user | string | `""` | Default database user |
 | global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
 | global.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
 | global.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
 | global.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
 | global.key_validity_period | string | `"168h0m0s"` |  |
 | global.logging | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | Default logging configuration |
 | global.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
 | global.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
 | global.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
 | global.mscs | list | `["msc2946"]` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
 | global.presence | object | `{"enable_inbound":false,"enable_outbound":false}` | Configures the handling of presence events. Inbound controls whether we receive presence events from other servers, outbound controls whether we send presence events for our local users to other servers. |
 | global.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
 | global.profiling.port | int | `65432` | pprof port, if enabled |
 | global.report_stats | object | `{"enabled":false,"endpoint":"https://matrix.org/report-usage-stats/push"}` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
 | global.server_name | string | `""` | Servername for this Dendrite deployment |
 | global.server_notices | object | `{"avatar_url":"","display_name":"Server Alerts","enabled":false,"local_part":"_server","room_name":"Server Alerts"}` | Server notices allows server admins to send messages to all users on the server. |
 | global.tracing | object | disabled | Default tracing configuration |
 | global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
 | global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
 | global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
 | image.name | string | `"ghcr.io/matrix-org/dendrite-monolith:v0.10.8"` | Docker repository/image to use |
 | image.pullPolicy | string | `"IfNotPresent"` | Kubernetes pullPolicy |
 | ingress.annotateFor | string | `""` |  |
 | ingress.annotations | object | `{}` | Extra, custom annotations |
 | ingress.className | string | `""` |  |
 | ingress.enabled | bool | `false` | Create an ingress for a monolith deployment |
@ -117,6 +118,8 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | resources | object | sets some sane default values | Default resource requests/limits. |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | signing_key.create | bool | `true` | Create a new signing key, if not exists |
 | signing_key.existingSecret | string | `""` | Use an existing secret |
 | syncapi.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
 | syncapi.search | object | `{"enabled":false,"language":"en"}` | Configuration for the full-text search engine. |
 | syncapi.search.enabled | bool | `false` | Whether or not search is enabled. |
--- a/helm/dendrite/ci/ct-ingress-values.yaml
+++ b/helm/dendrite/ci/ct-ingress-values.yaml
@ -2,7 +2,7 @@
 postgresql:
  enabled: true
-configuration:
+global:
  server_name: "localhost"
 ingress:
--- a/helm/dendrite/ci/ct-postgres-values.yaml
+++ b/helm/dendrite/ci/ct-postgres-values.yaml
@ -2,5 +2,5 @@
 postgresql:
  enabled: true
-configuration:
+global:
  server_name: "localhost"
--- a/helm/dendrite/templates/_helpers.tpl
+++ b/helm/dendrite/templates/_helpers.tpl
@ -1,14 +1,14 @@
 {{- define "validate.config" }}
-{{- if not .Values.configuration.signing_key.create -}}
+{{- if not .Values.signing_key.create -}}
 {{-  fail "You must create a signing key for configuration.signing_key. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.host .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.host .Values.postgresql.enabled) -}}
 {{-  fail "Database server must be set." -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.user .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.user .Values.postgresql.enabled) -}}
 {{-  fail "Database user must be set." -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.password .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.password .Values.postgresql.enabled) -}}
 {{-  fail "Database password must be set." -}}
 {{- end -}}
 {{- end -}}
--- a/helm/dendrite/templates/deployment.yaml
+++ b/helm/dendrite/templates/deployment.yaml
@ -4,7 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: {{ $.Release.Namespace }}
-  name: {{ $.Chart.Name }}
+  name: {{ include "dendrite.fullname" . }}
  labels:
    app: {{ $.Chart.Name }}
 spec:
@ -23,7 +23,7 @@ spec:
          secretName: {{ .Release.Name }}-conf
      - name: {{ .Release.Name }}-signing-key
        secret:
-          secretName: {{ default (print .Release.Name "-signing-key") $.Values.configuration.signing_key.existingSecret | quote }}
+          secretName: {{ default (print .Release.Name "-signing-key") $.Values.signing_key.existingSecret | quote }}
      {{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
      - name:{{ .Release.Name }}-appservices
        secret:
@ -48,10 +48,10 @@ spec:
          - name: http
            containerPort: 8008
            protocol: TCP
-        {{- if $.Values.configuration.profiling.enabled }}
+        {{- if $.Values.global.profiling.enabled }}
        env:
          - name: PPROFLISTEN
-            value: "localhost:{{- $.Values.configuration.profiling.port -}}"
+            value: "localhost:{{- $.Values.global.profiling.port -}}"
        {{- end }}
        resources:
        {{- toYaml $.Values.resources | nindent 10 }}
--- a/helm/dendrite/templates/ingress.yaml
+++ b/helm/dendrite/templates/ingress.yaml
@ -19,15 +19,6 @@ metadata:
  labels:
    {{- include "dendrite.labels" . | nindent 4 }}
  annotations:
    {{- if eq .Values.ingress.annotateFor "nginx" }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$http_authorization"
    nginx.org/proxy-connect-timeout: 60s
    nginx.org/proxy-read-timeout: 60s
    {{- else if eq .Values.ingress.annotateFor "openshift" }}
    route.openshift.io/termination: edge
    haproxy.router.openshift.io/balance: source
    haproxy.router.openshift.io/timeout: 60000ms
    {{- end}}
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
--- a/helm/dendrite/templates/jobs.yaml
+++ b/helm/dendrite/templates/jobs.yaml
@ -1,4 +1,4 @@
-{{ if and .Values.configuration.signing_key.create (not .Values.configuration.signing_key.existingSecret ) }}
+{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
 {{ $name := (print .Release.Name "-signing-key") }}
 {{ $secretName := (print .Release.Name "-signing-key") }}
 ---
--- a/helm/dendrite/templates/secrets.yaml
+++ b/helm/dendrite/templates/secrets.yaml
@ -9,7 +9,7 @@ type: Opaque
 data:
 {{ (.Files.Glob "appservices/*").AsSecrets | indent 2 }}
 {{ end }}
-{{ if and .Values.configuration.signing_key.create (not .Values.configuration.signing_key.existingSecret) }}
+{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret) }}
 ---
 apiVersion: v1
 kind: Secret
@ -21,7 +21,7 @@ metadata:
 type: Opaque
 {{ end }}
-{{- $connectionString := print "postgresql://" .Values.configuration.database.user ":" .Values.configuration.database.password "@" .Values.configuration.database.host }}
+{{- $connectionString := print "postgresql://" .Values.global.database.user ":" .Values.global.database.password "@" .Values.global.database.host }}
 {{- if .Values.postgresql.enabled }}
 {{- $connectionString = print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite" -}}
 {{ end }}
@ -36,33 +36,39 @@ stringData:
  dendrite.yaml: |
    version: 2
    global:
-      server_name: {{ .Values.configuration.server_name }}
+      server_name: {{ .Values.global.server_name }}
      private_key: /etc/dendrite/secrets/signing.key
      key_id: ed25519:auto
-      key_validity_period: {{ .Values.configuration.key_validity_period | quote }}
+      key_validity_period: {{ .Values.global.key_validity_period | quote }}
      database:
        connection_string: {{ $connectionString }}?sslmode=disable
-        max_open_conns: {{ default 90 .Values.configuration.database.max_open_conns }}
+        max_open_conns: {{ default 90 .Values.global.database.max_open_conns }}
-        max_idle_conns: {{ default 5 .Values.configuration.database.max_idle_conns }}
+        max_idle_conns: {{ default 5 .Values.global.database.max_idle_conns }}
-        conn_max_lifetime: {{ default -1 .Values.configuration.database.conn_max_lifetime }}
+        conn_max_lifetime: {{ default -1 .Values.global.database.conn_max_lifetime }}
      cache:
-        max_size_estimated: {{ default "1gb" .Values.configuration.cache.max_size_estimated | quote }}
+        max_size_estimated: {{ default "1gb" .Values.global.cache.max_size_estimated | quote }}
-        max_age: {{ default "1h" .Values.configuration.cache.max_age }}
+        max_age: {{ default "1h" .Values.global.cache.max_age }}
-      well_known_server_name: {{ default "" .Values.configuration.well_known_server_name | quote }}
+      well_known_server_name: {{ default "" .Values.global.well_known_server_name | quote }}
-      well_known_client_name: {{ default "" .Values.configuration.well_known_client_name | quote }}
+      well_known_client_name: {{ default "" .Values.global.well_known_client_name | quote }}
      trusted_third_party_id_servers:
-      {{- toYaml .Values.configuration.trusted_third_party_id_servers | nindent 8 }}
+      {{- toYaml .Values.global.trusted_third_party_id_servers | nindent 8 }}
-      disable_federation: {{ .Values.configuration.disable_federation }}
+      disable_federation: {{ .Values.global.disable_federation }}
      report_stats:
        {{- toYaml .Values.global.report_stats | nindent 8 }}
      presence:
        {{- toYaml .Values.global.presence | nindent 8 }}
      server_notices:
        {{- toYaml .Values.global.server_notices | nindent 8 }}
      jetstream:
        in_memory: false
        storage_path: /data/jetstream
      metrics:
-        {{- toYaml .Values.configuration.metrics | nindent 8 }}
+        {{- toYaml .Values.global.metrics | nindent 8 }}
      dns_cache:
-        {{- toYaml .Values.configuration.dns_cache | nindent 8 }}
+        {{- toYaml .Values.global.dns_cache | nindent 8 }}
    mscs:
      mscs:
-        {{- toYaml .Values.configuration.mscs | nindent 8 }}
+        {{- toYaml .Values.global.mscs | nindent 8 }}
    app_service_api:
      config_files:
        {{- range $x, $y := .Files.Glob "appservices/*" }}
@ -70,19 +76,19 @@ stringData:
        {{ end }}
    client_api:
    {{- with .Values.clientapi }}
-      registration_disabled: {{ .registration.registration_disabled }}
+      registration_disabled: {{ .registration_disabled }}
-      guests_disabled: {{ .registration.guests_disabled }}
+      guests_disabled: {{ .guests_disabled }}
-      registration_shared_secret: {{ .registration.shared_secret | quote }}
+      registration_shared_secret: {{ .shared_secret | quote }}
-      enable_registration_captcha:  {{ .registration.enable_registration_captcha }}
+      enable_registration_captcha:  {{ .enable_registration_captcha }}
-      recaptcha_public_key: {{ .registration.recaptcha_public_key | quote }}
+      recaptcha_public_key: {{ .recaptcha_public_key | quote }}
-      recaptcha_private_key: {{ .registration.recaptcha_private_key | quote}}
+      recaptcha_private_key: {{ .recaptcha_private_key | quote}}
-      recaptcha_bypass_secret: {{ .registration.recaptcha_bypass_secret | quote}}
+      recaptcha_bypass_secret: {{ .recaptcha_bypass_secret | quote}}
-      recaptcha_siteverify_api: {{ .registration.recaptcha_siteverify_api | quote}}
+      recaptcha_siteverify_api: {{ .recaptcha_siteverify_api | quote}}
      {{ end }}
      turn:
-        {{- toYaml .Values.configuration.turn | nindent 8 }}
+        {{- toYaml .turn | nindent 8 }}
      rate_limiting:
-        {{- toYaml .Values.configuration.rate_limiting | nindent 8 }}
+        {{- toYaml .rate_limiting | nindent 8 }}
    {{ end }}
    federation_api:
      #federation_certificates: []
      send_max_retries: {{ default 16 .Values.federationapi.send_max_retries }}
@ -110,8 +116,8 @@ stringData:
        index_path: /data/search
        language: {{ default "en" .Values.syncapi.search.language }}
    tracing:
-      {{- toYaml .Values.configuration.tracing | nindent 6 }}
+      {{- toYaml .Values.global.tracing | nindent 6 }}
    logging:
-    {{- if .Values.configuration.logging }}
+    {{- if .Values.global.logging }}
-    {{- toYaml .Values.configuration.logging | nindent 4 }}
+    {{- toYaml .Values.global.logging | nindent 4 }}
    {{ end }}
--- a/helm/dendrite/templates/service.yaml
+++ b/helm/dendrite/templates/service.yaml
@ -5,7 +5,7 @@ apiVersion: v1
 kind: Service
 metadata:
  namespace: {{ $.Release.Namespace }}
-  name: {{ $.Chart.Name }}
+  name: {{ include "dendrite.fullname" . }}
  labels:
    {{- include "dendrite.labels" . | nindent 4 }}
 spec:
--- a/helm/dendrite/templates/tests/test-version.yaml
+++ b/helm/dendrite/templates/tests/test-version.yaml
@ -0,0 +1,17 @@
 ---
 apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "dendrite.fullname" . }}-test-version"
  labels:
    {{- include "dendrite.selectorLabels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test
 spec:
  containers:
    - name: curl
      image: curlimages/curl
      imagePullPolicy: IfNotPresent
      args:
        - 'http://{{- include "dendrite.fullname" . -}}:8008/_matrix/client/versions'
  restartPolicy: Never
--- a/helm/dendrite/values.yaml
+++ b/helm/dendrite/values.yaml
@ -4,7 +4,40 @@ image:
  # -- Kubernetes pullPolicy
  pullPolicy: IfNotPresent
-configuration:
+
 # signing key to use
 signing_key:
  # -- Create a new signing key, if not exists
  create: true
  # -- Use an existing secret
  existingSecret: ""
 # -- Default resource requests/limits.
 # @default -- sets some sane default values
 resources:
  requests:
    memory: "512Mi"
  limits:
    memory: "4096Mi"
 persistence:
  storageClass: ""
  jetstream:
    # -- Use an existing volume claim for jetstream
    existingClaim: ""
    capacity: "1Gi"
  media:
    # -- Use an existing volume claim for media files
    existingClaim: ""
    capacity: "1Gi"
  search:
    # -- Use an existing volume claim for the fulltext search index
    existingClaim: ""
    capacity: "1Gi"
 global:
  # -- Servername for this Dendrite deployment
  server_name: ""
@ -26,12 +59,6 @@ configuration:
  # to other servers and the federation API will not be exposed.
  disable_federation: false
  # signing key to use
  signing_key:
    # -- Create a new signing key, if not exists
    create: true
    # -- Use an existing secret
    existingSecret: ""
  key_validity_period: 168h0m0s
  database:
@ -64,6 +91,32 @@ configuration:
    # become popular.
    max_age: 1h
  # -- Configures phone-home statistics reporting. These statistics contain the server
  # name, number of active users and some information on your deployment config.
  # We use this information to understand how Dendrite is being used in the wild.
  report_stats:
    enabled: false
    endpoint: https://matrix.org/report-usage-stats/push
  # -- Configures the handling of presence events. Inbound controls whether we receive
  # presence events from other servers, outbound controls whether we send presence
  # events for our local users to other servers.
  presence:
    enable_inbound: false
    enable_outbound: false
  # -- Server notices allows server admins to send messages to all users on the server.
  server_notices:
    enabled: false
    # The local part, display name and avatar URL (as a mxc:// URL) for the user that
    # will send the server notices. These are visible to all users on the deployment.
    local_part: "_server"
    display_name: "Server Alerts"
    avatar_url: ""
    # The room name to be used when sending server notices. This room name will
    # appear in user clients.
    room_name: "Server Alerts"
  # prometheus metrics
  metrics:
    # -- Whether or not Prometheus metrics are enabled.
@ -75,25 +128,6 @@ configuration:
      # -- HTTP basic authentication password
      password: metrics
  # TURN server information that this homeserver should send to clients.
  turn:
    # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
    turn_user_lifetime: "24h"
    turn_uris: []
    turn_shared_secret: ""
    # -- The TURN username
    turn_username: ""
    # -- The TURN password
    turn_password: ""
  rate_limiting:
    # -- Enable rate limiting
    enabled: true
    # -- After how many requests a rate limit should be activated
    threshold: 20
    # -- Cooloff time in milliseconds
    cooloff_ms: 500
  dns_cache:
    # -- Whether or not the DNS cache is enabled.
    enabled: false
@ -139,53 +173,49 @@ configuration:
    # - msc2836    (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
    # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
 # -- Default resource requests/limits.
 # @default -- sets some sane default values
 resources:
  requests:
    memory: "512Mi"
  limits:
    memory: "4096Mi"
 persistence:
  storageClass: ""
  jetstream:
    # -- Use an existing volume claim for jetstream
    existingClaim: ""
    capacity: "1Gi"
  media:
    # -- Use an existing volume claim for media files
    existingClaim: ""
    capacity: "1Gi"
  search:
    # -- Use an existing volume claim for the fulltext search index
    existingClaim: ""
    capacity: "1Gi"
 clientapi:
-  registration:
+  # -- Prevents new users from being able to register on this homeserver, except when
-    # -- Prevents new users from being able to register on this homeserver, except when
+  # using the registration shared secret below.
-    # using the registration shared secret below.
+  registration_disabled: true
    registration_disabled: true
-    # Prevents new guest accounts from being created. Guest registration is also
+  # Prevents new guest accounts from being created. Guest registration is also
-    # disabled implicitly by setting 'registration_disabled' above.
+  # disabled implicitly by setting 'registration_disabled' above.
-    guests_disabled: true
+  guests_disabled: true
-    # -- If set, allows registration by anyone who knows the shared secret, regardless of
+  # -- If set, allows registration by anyone who knows the shared secret, regardless of
-    # whether registration is otherwise disabled.
+  # whether registration is otherwise disabled.
-    shared_secret: ""
+  shared_secret: ""
-    # -- enable reCAPTCHA registration
+  # -- enable reCAPTCHA registration
-    enable_registration_captcha: false
+  enable_registration_captcha: false
-    # -- reCAPTCHA public key
+  # -- reCAPTCHA public key
-    recaptcha_public_key: ""
+  recaptcha_public_key: ""
-    # -- reCAPTCHA private key
+  # -- reCAPTCHA private key
-    recaptcha_private_key: ""
+  recaptcha_private_key: ""
-    # -- reCAPTCHA bypass secret
+  # -- reCAPTCHA bypass secret
-    recaptcha_bypass_secret: ""
+  recaptcha_bypass_secret: ""
-    recaptcha_siteverify_api: ""
+  recaptcha_siteverify_api: ""
  # TURN server information that this homeserver should send to clients.
  turn:
    # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
    turn_user_lifetime: "24h"
    turn_uris: [ ]
    turn_shared_secret: ""
    # -- The TURN username
    turn_username: ""
    # -- The TURN password
    turn_password: ""
  rate_limiting:
    # -- Enable rate limiting
    enabled: true
    # -- After how many requests a rate limit should be activated
    threshold: 20
    # -- Cooloff time in milliseconds
    cooloff_ms: 500
    # -- Users which should be exempt from rate limiting
    exempt_user_ids:
 federationapi:
  send_max_retries: 16
@ -249,7 +279,6 @@ ingress:
  hosts: []
  className: ""
  hostName: ""
  annotateFor: ""  # one of 'openshift' or 'nginx'
  # -- Extra, custom annotations
  annotations: {}